From thorhs at basis.is  Sun Oct 10 22:15:00 2010
From: thorhs at basis.is (Þórhallur Sverrisson)
Date: Sun, 10 Oct 2010 11:15:00 +0000
Subject: [netflow-tools] Destination AS 0
Message-ID:

Hi All,

Hope this hasn't been asked and answered yet, kind of hard to google for AS 0 :)

I've been monitoring my 7200 with netflow v9 and flowd for quite some time now. I've been importing the data to postgres for post processing, but that has gotten slow as the traffic volume increases. So I started writing a program to do the classifications/aggregations in C working on the binary log files, which needless to say is waaaay faster.

In the course of debugging I found flows with both source and destination AS 0. I see AS 0 as source or destination when they are originating/terminating at my networks. In these flows source is in my AS, but the other end is outside my AS. The route is in the routing table from BGP so an AS should be available.

Is this something others have seen? Perhaps not uncommon?

I'm hoping I don't have to revert to classifying by IP since that is quite a lot slower and more error prone than the simple comparison of ASes.

Thanks in advance,
Thorhallur

From baale_nathan2008 at yahoo.com  Fri Oct 22 03:10:26 2010
From: baale_nathan2008 at yahoo.com (Balekaki Nathan gerald)
Date: Thu, 21 Oct 2010 09:10:26 -0700 (PDT)
Subject: [netflow-tools] Wrong Time window: 2010-09-01 21:43:31 - 2010-10-21 16:15:56
Message-ID: <530154.87031.qm@web59713.mail.ac4.yahoo.com>

Dear all,

I have a problem with the time window start time as shown below. The ending time of the window is fine, but 2010-09-01 21:43:31 is dating back behind. Please help.

Time window: 2010-09-01 21:43:31 - 2010-10-21 16:15:56

Nate

From jloiacon at csc.com  Fri Oct 22 04:21:05 2010
From: jloiacon at csc.com (Joe Loiacono)
Date: Thu, 21 Oct 2010 13:21:05 -0400
Subject: [netflow-tools] Wrong Time window: 2010-09-01 21:43:31 - 2010-10-21 16:15:56
In-Reply-To: <530154.87031.qm@web59713.mail.ac4.yahoo.com>
References: <530154.87031.qm@web59713.mail.ac4.yahoo.com>
Message-ID:

Which software are you referring to?

Joe Loiacono

From: Balekaki Nathan gerald
To: netflow-tools at mindrot.org
Date: 10/21/2010 01:05 PM
Subject: [netflow-tools] Wrong Time window: 2010-09-01 21:43:31 - 2010-10-21 16:15:56

Dear all,

I have a problem with the time window start time as shown below. The ending time of the window is fine, but 2010-09-01 21:43:31 is dating back behind. Please help.

Time window: 2010-09-01 21:43:31 - 2010-10-21 16:15:56

Nate